With the increase in credit card data breaches in recent years, protection of payment card information is top of mind for organizations and customers alike. To better protect payment card data, the Payment Card Industry Data Security Standard (PCI DSS) was established as a set of security requirements that apply to every organization that accepts, processes, stores, or transmits cardholder data. Failure to comply with these requirements can result in serious fines from the card brands and acquiring banks and a tarnished reputation.
A large healthcare system was notified that it was now required to report compliance as one entity, rather than as separate small business units (individual gift shops, parking garages, pharmacies, etc.). Because merchant level is determined by annual card transaction volume, consolidating those units raised the organization's merchant level and, with it, its reporting obligations.
The healthcare system was only given a year and a half to become compliant at the new level, but with only one employee handling this effort, additional support was needed. Through existing relationships, the client learned of Sendero’s experience with PCI Compliance and requested assistance.
Sendero worked with the existing PCI Lead to perform a current state assessment and remediate gaps.
This assessment included:
- Interviewing the 22 managers of entities accepting card payments, including gift shops, retail pharmacies, and parking garages to better understand their current processes and policies
- Evaluating 11 third-party payment applications used to capture payment information in the different lines of business
After gathering the current-state information, the findings were compared against the PCI DSS requirements to identify the gaps needing remediation.
To address the gaps, we completed the following remediation activities:
- Established a centralized inventory tracking platform for the hundreds of payment devices in use and introduced regular checks of each device
- Resolved security vulnerabilities found during penetration testing, for example by hardening systems and removing weak passwords
- Terminated or altered processes that were deemed risky (e.g., eliminating the writing down of payment card data, and changing the customer service call recording settings so that recording stops while payment data is discussed)
- Implemented yearly mandatory PCI Awareness Training for all employees
- Established written standards for new implementations of payment processes/applications
The healthcare system submitted the necessary compliance reports before the deadline and was placed in good standing with respect to PCI DSS.